Add GUI support for IPv6 addresses in Internet Service Database (ISDB), and allow them to be configured in firewall policies.

FortiGates, FortiSwitches, FortiAPs, and FortiExtenders can download an EOS (end of support) package automatically from FortiGuard during the bootup process or by using manual commands. Based on the downloaded EOS package files, when a device passes the EOS date, a warning message is displayed in the device's tooltip, and the device is highlighted in the GUI.

The End-of-Support security rating check rule audits the EOS of FortiGates and Fabric devices. This allows administrators to have clear visibility of their Security Fabric, and help prevent any security gaps or vulnerabilities that may arise due to any devices that are past their hardware EOS date.

Display IoT devices with known vulnerabilities on the Security Fabric > Asset Identity Center page's Asset list view. Hovering over the vulnerabilities count displays a View IoT Vulnerabilities tooltip, which opens the View IoT Vulnerabilities table that includes the Vulnerability ID, Type, Severity, Reference, Description, and Patch Signature ID. Each entry in the Reference column includes the CVE number and a link to the CVE details.

The Security Fabric > Security Rating > Security Posture report includes FortiGuard IoT Detection Subscription and FortiGuard IoT Vulnerability checks. The FortiGuard IoT Detection Subscription rating check will pass if the System > FortiGuard page shows that the IoT Detection Service is licensed. The FortiGuard IoT Vulnerability rating check will fail if any IoT vulnerabilities are found.

To detect IoT vulnerabilities, the FortiGate must have a valid IoT Detection Service license, device detection must be configured on a LAN interface used by IoT devices, and a firewall policy with an application control sensor must be configured.

Introduce a multi-tiered approach to determining the action taken on a video. The channel filter is checked first, and if the video's channel matches a configuration entry, the corresponding action is taken. If not, the FortiGuard category filter is checked and the corresponding action is taken if the video's category matches a configuration entry. If neither of these conditions are met, the default action specified in the video filter profile is used. Logging is also enabled by default.

config videofilter profile
    edit <name>
        set default-action {allow | monitor | block}
        set log {enable | disable}
    next
end

Add the Fabric Overlay Orchestrator, which is an easy-to-use GUI wizard within FortiOS that simplifies the process of configuring a self-orchestrated SD-WAN overlay within a single Security Fabric without requiring additional tools or licensing. Currently, the Fabric Overlay Orchestrator supports a single hub architecture and builds upon an existing Security Fabric configuration. This feature configures the root FortiGate as the SD-WAN overlay hub and configures the downstream FortiGates (first-level children) as the spokes. After configuring the Fabric Overlay, you can proceed to complete the SD-WAN deployment configuration by configuring SD-WAN rules.

Allow a managed FortiSwitch ID to be edited and store the device serial number as a new read-only field.

config switch-controller managed-switch
    edit <id>
        set sn <serial_number>
    next
end

The device ID can be configured to a maximum of 16 alphanumeric characters, including dashes (-) and underscores (_).

Some related config, execute, and diagnose commands have been modified to configure and display user-definable FortiSwitch IDs accordingly. The system data and daemons have been modified to use the new switch serial number field to ensure the existing switch controller and dependent features still work.

Add Logs Sent Daily chart for remote logging sources (FortiAnalyzer, FortiGate Cloud, and FortiAnalyzer Cloud) to the Logging & Analytics Fabric Connector card within the Security Fabric > Fabric Connectors page and to the Dashboard as a widget for a selected remote logging source.

Increase the number of supported NAC devices to 48 times the maximum number of FortiSwitch units supported on that FortiGate model.

Support DVLAN mode 802.1ad and 802.1Q on NP7 platforms over a virtual wire pair, which provides better performance and packet processing.

Support the blocking of a discovered FortiExtender device on a FortiGate configured as a FortiExtender controller using Reject Status in the GUI and set authorized disable in the CLI.

config extension-controller extender
    edit <name>
        set id <string>
        set authorized disable
    next
end

A FortiGate can allow single sign-on (SSO) from FortiCloud and FortiCloud IAM users with administrator profiles inherited from FortiCloud or overridden locally by the FortiGate. Similarly, users accessing the FortiGate remotely from FortiGate Cloud can have their permissions inherited or overridden by the FortiGate.

Add guards to Node.JS log generation and move logs to tmpfs to prevent conserve mode issues. Node.JS logs only last a calendar day and will store up to 5 MB of logs. Once this limit is exceeded, the log file is deleted and a new file is created. A delete option has been added to the Node.JS debug command.

# diagnose nodejs logs {list | show <arg> | show-all | delete <arg>}

The FortiGate device ID is carried by the IKEv2 message NOTIFY payload when it is configured.

config vpn ipsec phase1-interface
    edit <name>
        set dev-id-notification enable
        set dev-id <string>
    next
end

This device ID configuration is required when the FortiGate is configured as a secure edge LAN extension for FortiSASE, and allows FortiSASE to distribute IKE/IPsec traffic according to the FortiGate device ID to achieve load balancing.

Improve replacement message displayed for YouTube videos blocked by video filtering. When a user visits a video directly by URL, a full-page replacement message is displayed. When a user loads a video from YouTube, the page will load but the replacement message will display in the video frame.

Support adding YAML to the file name when backing up the config as YAML, and detecting file format when restoring the configuration.

The execute restore yaml-config command has been removed and execute restore config should be used.

In the GUI, the File format field has been removed from the Restore system Configuration page.

On FortiGates licensed for hyperscale firewall features, the following commands display summary information for IPv4 or IPv6 hardware sessions.

# diagnose sys npu-session list-brief

# diagnose sys npu-session list-brief6

Internet Service Database (ISDB) on-demand mode replaces the full-sized ISDB file with a much smaller file that is downloaded onto the flash drive. This file contains only the essential entries for Internet Services. When a service is used in a firewall policy, the FortiGate queries FortiGuard to download the IP addresses and stores them on the flash drive. The FortiGate also queries the local MAC Database (MADB) for corresponding MAC information.

config system global
    set internet-service-database on-demand
end

FortiPolicy can be added to the Security Fabric. When FortiPolicy joins the Security Fabric and is authorized in the Security Fabric widget, it appears in the Fabric topology pages. A FortiGate can grant permission to FortiPolicy to perform firewall address and policy changes. Two security rating tests for FortiPolicy have been added to the Security Posture scorecard.

Add auto-discovery-crossover option under config vpn ipsec phase1-interface to block or allow (default) the set-up of shortcut tunnels between different network IDs.

config vpn ipsec phase1-interface
    edit <name>
        set auto-discovery-crossover {allow | block}
    next
end

When auto-discovery-crossover is set to block on the auto-discovery sender:

• In a single hub case, the hub knows the network ID of all the shortcut endpoints.
• The shortcut offer trigger will be suppressed if IKE detects that the ingress tunnel and egress tunnel have different network IDs.

When auto-discovery-crossover is set to block on the auto-discovery receiver:

• In a multi-hub case, the hub may not know the network ID of the endpoint where traffic is forwarded.
• Peers will exchange information on whether the shortcut cross-over is allowed.
• The shortcut initiator will send its network ID and cross-over setting to the shortcut responder in the shortcut query message.
• The shortcut responder will then send back its own network ID and any error status.
• If cross-over is not allowed on any side:
  • The shortcut responder will not allocate a phase 1 and sets the error status in the shortcut reply.
  • The shortcut initiator will not initiate the shortcut connection if it receives an error in the shortcut reply.

When auto-discovery-crossover is set to allow:

• The cross-over shortcut connection will be initialized with network ID of 0.
• The non-cross-over shortcut connection will use the configured network ID number.

Support Shielded and Confidential VM modes on GCP where the UEFI VM image is used for secure boot, and data in use is encrypted during processing.

FortiGate VMs with eight or more vCPUs can be configured to have a minimum of eight cores to be eligible to run the full extended database (DB). Any FortiGate VM with less than eight cores will receive a slim version of the extended DB. This slim-extended DB is a smaller version of the full extended DB, and it is designed for customers who prefer performance.

Harden REST API and GUI access.

Use API endpoint domain name from instance metadata to support FortiOS VM OCI DRCC region.

Allow users to configure the RADIUS NAS-ID as a custom ID or the hostname. When deploying a wireless network with WPA-Enterprise and RADIUS authentication, or using the RADIUS MAC authentication feature, the FortiGate can use the custom NAS-ID in its Access-Request.

config user radius
    edit <name>
        set nas-id-type {legacy | custom | hostname}
        set nas-id <string>
    next
end

When configuring a CGN IP pool for a hyperscale firewall, exclude IP addresses within this IP pool from being used for source NAT (excludeip). This allows users to remain secure and mitigate attacks by ensuring that global IP addresses within a CGN IP pool that are being targeted by external attackers are not re-used by other users of the hyperscale firewall.

config firewall ippool
    edit <name>
        set type cgn-resource-allocation
        set startip <IPv4_address>
        set endip <IPv4_address>
        set excludeip <IPv4_address>, <IPv4_address>, <IPv4_address> ...
    next
end

This option is currently not supported with a fixed allocation CGN IP pool (when set cgn-fixedalloc enable is configured).

Support the AWS T4g instance family with the FG-ARM64-AWS firmware image. Support the AWS C6a and C6in instance families with the FG-VM64-AWS firmware image.

The wtp-profile of FAP-432F, FAP-433F, FAP-U432F, and FAP-U433F models can set external antenna parameters when the corresponding external antenna is installed.

config wireless-controller wtp-profile
    edit <name>
        config radio-1
            set optional-antenna {none | FANT-04ABGN-0606-O-R | FANT-04ABGN-0606-P-R}
        end
    next
end

Implement real-time file system integrity checking in order to:

• Prevent unauthorized modification of important binaries.
• Detect unauthorized binaries and prevent them from running.

Implement BIOS-level signature and file integrity checking by enforcing each FortiOS GA firmware image, AV engine files, and IPS engine files to be dually-signed by the Fortinet CA and a third-party CA. The BIOS verifies that each file matches their secure hash as indicated by their certificates. Users are warned when there is a failed integrity check, and the system may be prevented from booting depending on the severity and the BIOS security level.

Support Saudi Cloud Computing Company (SCCC) and alibabacloud.sa domain (a standalone cloud backed by AliCloud).

Make the health check sensitive enough to detect small amounts of packet loss by decreasing the link monitor check interval and probe timeout minimum limit down to 20 ms, which will significantly impact VOD/voice.

Support deploying VMware FortiGate VMs directly as a Zero Trust Application Gateway using the OVF template (.vapp). ZTNA related parameters such as EMS server, external and internal interface IPs, and application server mapping can be configured during OVF deployment. ZTNA policies, authentication schemes, rules, and user groups are also bootstrapped.

Improve GUI memory consumption for FortiGates with 2 GB of RAM or less.